Have you filled in the speaker evaluation form?

Sexy Defense
Maximizing the Home-Field Advantage

Iftach Ian Amit





Agenda 
• Whoami

• Background - the Red Team was here... 

• What do they actually say? Reading reports 101 

• Methodology - flipping the Red-Team 

• Map 

• Correlate 

• Act 

• Examples 

• Conclusions 



Background


You had a vulnerability assessment done. 
Background


And you passed a pentest. 
Background


What did you ACTUALLY get? 



Compliance?



Background 


And then you had a Red-Team test come in and wreak havoc...



Background 


How does that make you feel? 
Reading bad reports


• Here comes the boring part...Terminology... 

• vulnerability 

• exposure 

• threat 

• risk 

• (yeah - you gotta be able to do suite talk to get the $$$).

Vulnerability

You’ll find a lot of these in reports... 


“An issue with a software component that, when abused (exploited) can lead to anything from the software crashing, to compromising the system on which the software is installed so that the attacker can have full control over it. Additionally, vulnerabilities also refer to logic and operational issues - whether in computing systems, in processes and procedures related to the business operations, patch management, or even password policies.”


Exposure 
• Say what?


• Usually will connect vulnerabilities to a threat model relevant for the tested organization



Threat 
“Anything capable of acting against an asset in a manner that could result in harm”


Defined by: Threat Community, Threat Agents.

• Capabilities 

• Accessibility to assets 
Risk

Ever seen one of these in a report? A real one?


• The probability of something bad™ happening to an organization’s asset.

• Yes, probability == math. Coherently formulate the elements (vuln, exposure, threat) into a risk score.

• Repeatable, and defensible from a logical perspective


Methodology 
Take a look at how we have been practicing attack and defense.


For a VERY long time... 



Defender view 
Attacker view

What does it mean?


[Diagram: Attack: Intelligence Gathering > Vuln. Research > Exploit > Control > Post. Defend: Threat Modeling > Intelligence Gathering > Data Correlation > Detection > Mitigate & Contain]


Remember!

It’s not about:

• Egos
• People
• Skills

Having a mindset of constant improvement

There will always be gaps in the defense

• Identify
• Remediate
• In the CONTEXT of RISK

IT’S NOT FAIR!


Map (information & security assets)

• 1st - What is the business doing anyway?

• How does it make $?

• Processes, assets, people, technology, 3rd parties...

• Security and Intelligence assets...



Map (exposures & issues)

• Start from a report (vuln, pt, red-team).

• Work up from there while weeding out all the irrelevancies
[Figure: Simplified mapping of assets, processes, people, vulnerabilities, and controls]











































Everywhere, from everything.

Storage != $

Measure twice, cut once == get all logs, filter later
Raw intelligence

Marketing
Sales
Business Development
Competitors
Partners
Customers

• Analysis
• CERTS
• Market news
• Forums

Early warning signs

• Weird PC behavior
• Volume of calls to support
• File permissions
• Access to specific files on network storage
• Physical elements around the office
• Sales inquiries
• Probes on a website
• Employee awareness
CHALLENGES AHEAD

Stalkers
Tailgaters
Smokers
Construction
Sales leads
IT guys

AWARENESS











Correlate

External events and timelines:

• Local news
• Sports, entertainment, financial
• Regional news
• National events
• International stuff





















[INSERT] Examples timeline of actual events

Act

• Building up your defense mojo

• Training people to identify, report, react 

• Combining technology into the mix 

• Working with others (peers, vendors, intel sources, government?)



Assess where YOU are! 


• Get a clear view of your current security posture

• Lying to yourself isn’t going to make you feel better

• At least in long run... :-| 





Constant development 


• Expect changes

• Processes, partners, customers, 3rd parties, internal services/products, people, culture,

• Embrace changes - never “sign off” into a finite strategy document. Make it a “living” document.

• Educate people about it.

• Show how it adapts according to the business. TO SUPPORT IT!
Align outwards

• Compare notes with peers

• Keep track of what’s new on the offensive side
  • And how it relates to you

• Never accept a successful audit or compliance to regulation as a sign of effective defense
  • Will usually prove the opposite
  • Great - you are now one with the lowest common denominator of the lowest bidders...


It’s not about:

Tech

People

Skill

It’s about:

Cat Herding

Counter-intel
Own up to YOUR information
Set traps
Intelligence
Technology

Booby-trap tools, work with LE, and most importantly: LEGAL






IANAL! 
Example









1. Identify your threat communities / agents

2. Locate their “hangouts” (where they get toolz)

3. Infiltrate to get info

4. Manipulate “stuff”
   1. Backdoor it.
   2. Make sure it leaves a distinct signature.

5. Update custom signature in detection systems

6. Kick back, and watch the fun


[Screenshot: Nj-RaT v0.2.2 Beta as posted on an Arabic-language forum: the builder with its Channel / Victims / Status / Builder / Setting tabs, IRC host and port, install path and victim/hacker nick fields; the post mentions Firefox, No-ip, dynDns, Filezilla, IMVU and Pidgin, and lists Win 7 / Vista / XP SP3 with .NET framework 2.0]
























































































Demo time 


1. Take RAT 

2. Find appropriate location 

3. Insert RAT 

4. Release 

5. Profit? 










[Screenshot: forum thread “Fungus Keylogger FUD”, posted by user Leoric (regular user, joined 23 Feb 11, location: Mexico, 548 posts): “Hello Udtools gentlemen, I bring you this humble modification that I finished a couple of minutes ago.. It’s nothing big, but well.. I’m giving it a go :)”. The crypter’s GUI advertises stub selection (3 stubs included), encryption key generation, a small .NET 2.0 dependency, “Scan & Runtime FUD”, “Crypts 100% FUD Output” and a “DarkComet bug fixed” note; the post carries a scan-result link and download links, and offers the password for one stub by PM at the poster’s discretion.]













Demo 


1. Obtain crypter 

2. Enhance [not in this demo] 

3. Embed RAT 

4. Release 

5. Profit? 



Sacrifice with Nike and Apollo 





























Law is hackable 
• Don’t think that it’s impossible to get by with these things...

• Example: Microsoft’s takedown of Bredolab - legal bypass by using trademark infringement claims

• Directly affect infected computers!
Kippo

bash-4.1$ honeypot/utils/playlog.py 0edaa36c5deelle09eS10623cdb4a7c5.log
sales:~#

http://code.google.com/p/kippo/






Artillery

• Open up listeners on multiple ports

• Anything that touches them gets blacklisted
  • You can play with this to report instead of blacklist...

• Monitor filesystem changes and email diff to you.

• Block SSH brute-force attacks

svn co http://svn.secmaniac.com/artillery artillery/
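As an added illustration of the pattern Artillery implements (decoy listeners that notice anyone touching them), here is a small Python tripwire; it is not Artillery's code, binds only to 127.0.0.1 on OS-chosen ports, and wires the touches to a reporting hook rather than a blacklist, as the bullet above suggests.

```python
# Added example in the spirit of Artillery (not Artillery's own code): decoy TCP
# listeners whose only job is to notice who connects and report it to a hook.
import selectors
import socket
import threading
import time

class Tripwire:
    """Listen on decoy ports bound to 127.0.0.1; every connection is a 'touch'."""
    def __init__(self, ports, on_touch):
        self.sel = selectors.DefaultSelector()
        self.on_touch = on_touch          # report or block: the slide allows either
        self.touches = []                 # (source_ip, decoy_port) history
        self.bound_ports = []
        self._stop = threading.Event()
        for p in ports:                   # port 0 lets the OS pick a free port
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("127.0.0.1", p))
            s.listen(16)
            s.setblocking(False)
            self.bound_ports.append(s.getsockname()[1])
            self.sel.register(s, selectors.EVENT_READ, data=self.bound_ports[-1])

    def serve(self):
        # Accept-and-drop loop: nothing is served, the touch itself is the signal.
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                conn, (ip, _) = key.fileobj.accept()
                conn.close()
                self.touches.append((ip, key.data))
                self.on_touch(ip, key.data)

    def stop(self):
        self._stop.set()

def report_only(ip, port):
    # Reporting hook: log the touch instead of blacklisting the source address.
    print(f"ALERT: decoy port {port} touched by {ip}")

def demo(decoys=3, wait=3.0):  # self-touch one decoy; returns (touches, port)
    tw = Tripwire([0] * decoys, report_only)
    threading.Thread(target=tw.serve, daemon=True).start()
    target = tw.bound_ports[-1]
    socket.create_connection(("127.0.0.1", target)).close()
    deadline = time.time() + wait
    while time.time() < deadline and not tw.touches:
        time.sleep(0.05)
    tw.stop()
    return tw.touches, target
```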



Technology

• Find stuff that works FOR you. Or make it.

• SIEM/SOC would be a major focus

• Other correlation engines

• Feed technology all the data it can handle

• Financial info? Semantic data? Google Alerts? -> Anything goes...


Counter Intelligence Use-Case 


Situation: Financial fraud being run from dormant accounts

Data: Accounts that have not been accessed in over a year are used for money laundering and international transfers. Fraud is either run internally or externally (not sure).

The bait: Create several tracked accounts, add them to the list of dormant accounts. Make copies of the list and place them on several network shares.

The catch: No unauthorized access to the copies of the account list. Dormant account list accessed through internal system, user account identified and tracked. Tracked account used for international transfer of funds. Internal user’s PC was taken for maintenance. Forensic investigation uncovered a Trojan installed on it. Trojan tracked back to C&C in eastern Europe while continuous activity was performed from it on internal financial systems. Criminal group identified and prosecuted.
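An added example, not from the talk, of the detection logic behind the use-case above: bait ("tracked") accounts seeded into the dormant list, with any read of the list or transfer touching them raised as an alert. The account ids, log format and sample events are all constructed for the demonstration.

```python
# Added example: flag activity on bait accounts planted in a dormant-account list.
# Account ids, the log format and the sample events below are constructed.
from dataclasses import dataclass

# Bait accounts: no real customer owns them, so any activity on them is
# suspicious by definition.
TRACKED_ACCOUNTS = {"ACC-900017", "ACC-900042"}
HIGH_VALUE = 10_000   # illustrative threshold; a fraud team would set this

@dataclass
class Alert:
    severity: str
    account: str
    actor: str
    reason: str

def parse_event(line):
    """Constructed format: timestamp|event|account|actor|detail"""
    ts, event, account, actor, detail = line.strip().split("|", 4)
    return {"ts": ts, "event": event, "account": account, "actor": actor, "detail": detail}

def evaluate(event):
    """Return an Alert when the event touches a bait account, else None."""
    if event["account"] not in TRACKED_ACCOUNTS:
        return None
    acct, actor = event["account"], event["actor"]
    if event["event"] == "LIST_READ":
        # The dormant list was pulled through an internal system: record who did it.
        return Alert("medium", acct, actor, "dormant list read includes tracked account")
    if event["event"] == "TRANSFER":
        amount, dest = event["detail"].split(";")
        # International or high-value movement of bait funds is the strongest signal.
        sev = "critical" if dest.startswith("INTL") or float(amount) >= HIGH_VALUE else "high"
        return Alert(sev, acct, actor, f"transfer of {amount} to {dest} from tracked account")
    return Alert("high", acct, actor, f"unexpected {event['event']} on tracked account")

def scan(lines):
    """Run every non-empty log line through evaluate() and keep the alerts."""
    return [a for a in (evaluate(parse_event(l)) for l in lines if l.strip()) if a]

# Constructed sample log: one user reads the list, then moves bait funds abroad.
SAMPLE_LOG = """\
2012-04-02T09:12:01|LIST_READ|ACC-900017|jdoe|dormant_report_q1
2012-04-02T09:13:40|LOGIN|ACC-100233|customer|web
2012-04-03T14:02:55|TRANSFER|ACC-900017|jdoe|25000.00;INTL-BANK-XX
2012-04-03T14:05:10|TRANSFER|ACC-100233|customer|120.00;LOCAL-BANK-YY
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields a medium alert naming the user who read the list and a critical alert for the international transfer from the bait account; the genuine customer's activity produces nothing.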




Play nice with others 


CERTS 

Government 

Peers 


Competitors 


Conclusions 
The whole is greater than the sum of its elements



Call for Action 
Vendors:

• Start working on products that can “communicate” with information

• Loosely typed data

• Language processing of arbitrary data formats

• Correlation across sources AND over time

Defenders:

• Own up to your data, network, and business

• Gather intelligence on your potential adversaries

• Focus your defenses on assets, not compliance or “best practices”

• Take the initiative!
Speaker evaluation form

Why not complete it?

ktnxbye!

Questions?

Paper available at: http://iamit.org/docs/sexydefense.pdf
twitter: @iiamit

*Image credits: Google Images and the Internetz








